4985 matches found
VulnCheck KEV: CVE-2025-0411
7-Zip contains a protection mechanism failure vulnerability that allows remote attackers to bypass the Mark-of-the-Web security feature to execute arbitrary code in the context of the current user...
VulnCheck KEV: CVE-2025-24752
The Essential Addons for Elementor WordPress plugin is vulnerable to insufficient validation and sanitizing of the popup-selector query argument. Versions prior to 6.0.15 are affected...
VulnCheck KEV: CVE-2018-9276
Paessler PRTG Network Monitor contains an OS command injection vulnerability that allows an attacker with administrative privileges to execute commands via the PRTG System Administrator web console...
VulnCheck KEV: CVE-2024-48455
An issue in Netis Wifi6 Router NX10 2.0.1.3643 and 2.0.1.3582 and Netis Wifi 11AC Router NC65 3.0.0.3749 and Netis Wifi 11AC Router NC63 3.0.0.3327 and 3.0.0.3503 and Netis Wifi 11AC Router NC21 3.0.0.3800, 3.0.0.3500 and 3.0.0.3329 and Netis Wifi Router MW5360 1.0.1.3442 and 1.0.1.3031 allows...
VulnCheck KEV: CVE-2018-19410
Paessler PRTG Network Monitor contains a local file inclusion vulnerability that allows a remote, unauthenticated attacker to create users with read-write privileges including administrator...
VulnCheck KEV: CVE-2025-25181
Advantive VeraCore contains a SQL injection vulnerability in timeoutWarning.asp that allows a remote attacker to execute arbitrary SQL commands via the PmSess1 parameter...
VulnCheck KEV: CVE-2024-57968
Advantive VeraCore contains an unrestricted file upload vulnerability that allows a remote unauthenticated attacker to upload files to unintended folders via upload.apsx...
VulnCheck KEV: CVE-2024-6298
Unauthorized file access in WEB Server in ABB ASPECT - Enterprise v3.08.01; NEXUS Series v3.08.01 ; MATRIX Series v3.08.01 allows Attacker to execute arbitrary code remotely...
VulnCheck KEV: CVE-2024-7097
The SOAP admin service in WSO2 products has a security vulnerability that allows the creation of new user accounts regardless of the self-registration configuration settings...
VulnCheck KEV: CVE-2024-57727
SimpleHelp remote support software contains multiple path traversal vulnerabilities that allow unauthenticated remote attackers to download arbitrary files from the SimpleHelp host via crafted HTTP requests. These files may include server configuration files and hashed user passwords...
VulnCheck KEV: CVE-2024-25608
HtmlUtil.escapeRedirect in Liferay Portal 7.2.0 through 7.4.3.18, and older unsupported versions, and Liferay DXP 7.4 before update 19, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions can be circumvented by using the 'REPLACEMENT CHARACTER' U+FFFD, which allows...
VulnCheck KEV: CVE-2024-40891
Multiple Zyxel DSL CPE devices contain a post-authentication command injection vulnerability in the management commands that could allow an authenticated attacker to execute OS commands via Telnet...
VulnCheck KEV: CVE-2024-41710
Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones, including the 6970 Conference Unit, contain an argument injection vulnerability due to insufficient parameter sanitization during the boot process. Successful exploitation may allow an attacker to execute arbitrary commands within the...
VulnCheck KEV: CVE-2024-40890
Multiple Zyxel DSL CPE devices contain a post-authentication command injection vulnerability in the CGI program that could allow an authenticated attacker to execute OS commands via a crafted HTTP request...
VulnCheck KEV: CVE-2019-3980
The Solarwinds Dameware Mini Remote Client agent v12.1.0.89 supports smart card authentication which can allow a user to upload an executable to be executed on the DWRCS.exe host. An unauthenticated, remote attacker can request smart card login and upload and execute an arbitrary executable run...
VulnCheck KEV: CVE-2024-44055
A server side request forgery SSRF vulnerability is present in WordPress Oshine Modules Plugin that could allow a website to execute website requests to an arbitrary attacker-controlled domain...
VulnCheck KEV: CVE-2025-24085
Apple iOS, macOS, and other Apple products contain a user-after-free vulnerability that could allow a malicious application to elevate privileges...
VulnCheck KEV: CVE-2024-42448
From the VSPC management agent machine, under condition that the management agent is authorized on the server, it is possible to perform Remote Code Execution RCE on the VSPC server machine...
VulnCheck KEV: CVE-2024-32736
A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3. An unauthenticated remote attacker can leak sensitive information via the "queryutaskverbose" function within MCUDBHelper...
VulnCheck KEV: CVE-2024-32739
A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3. An unauthenticated remote attacker can leak sensitive information via the "queryptaskverbose" function within MCUDBHelper...
VulnCheck KEV: CVE-2019-13462
Lansweeper before 7.1.117.4 allows unauthenticated SQL injection...
VulnCheck KEV: CVE-2024-6205
The PayPlus Payment Gateway WordPress plugin before 6.6.9 does not properly sanitise and escape a parameter before using it in a SQL statement via a WooCommerce API route available to unauthenticated users, leading to an SQL injection vulnerability...
VulnCheck KEV: CVE-2024-32735
An issue regarding missing authentication for certain utilities exists in CyberPower PowerPanel Enterprise prior to v2.8.3. An unauthenticated remote attacker can access the PDNU REST APIs, which may result in compromise of the application...
VulnCheck KEV: CVE-2024-32738
A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3. An unauthenticated remote attacker can leak sensitive information via the "queryptasklean" function within MCUDBHelper...
VulnCheck KEV: CVE-2025-23006
SonicWall SMA1000 Appliance Management Console AMC and Central Management Console CMC contain a deserialization of untrusted data vulnerability, which can enable a remote, unauthenticated attacker to execute arbitrary OS commands...
VulnCheck KEV: CVE-2021-26294
An issue was discovered in AfterLogic Aurora through 7.7.9 and WebMail Pro through 7.7.9. They allow directory traversal to read files such as a data/settings/settings.xml file containing admin panel credentials, as demonstrated by dav/server.php/files/personal/%2e%2e when using the...
VulnCheck KEV: CVE-2024-32737
A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3. An unauthenticated remote attacker can leak sensitive information via the "querycontractresult" function within MCUDBHelper...
VulnCheck KEV: CVE-2023-26134
Versions of the package git-commit-info before 2.0.2 are vulnerable to Command Injection such that the package-exported method gitCommitInfo fails to sanitize its parameter commit, which later flows into a sensitive command execution API. As a result, attackers may inject malicious commands...
VulnCheck KEV: CVE-2021-24666
The Podlove Podcast Publisher WordPress plugin before 3.5.6 contains a 'Social & Donations' module not activated by default, which adds the rest route '/services/contributor/?P\d+, takes an 'id' and 'category' parameters as arguments. Both parameters can be used for the SQLi...
VulnCheck KEV: CVE-2024-13375
The Adifier System plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.1.7. This is due to the plugin not properly validating a user's identity prior to updating their details like password through the adifierrecover function...
VulnCheck KEV: CVE-2025-23209
Craft CMS contains a code injection vulnerability caused by improper validation of the database backup path, ultimately enabling remote code execution...
VulnCheck KEV: CVE-2022-44149
The web service on Nexxt Amp300 ARN02304U8 42.103.1.5095 and 80.103.2.5045 devices allows remote OS command execution by placing &telnetd in the JSON host field to the ping feature of the goform/sysTools component. Authentication is required...
VulnCheck KEV: CVE-2022-3573
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. Due to the improper filtering of query parameters in the wiki changes page, an attacker can execute...
VulnCheck KEV: CVE-2025-21335
Microsoft Windows Hyper-V NT Kernel Integration VSP contains a use-after-free vulnerability that allows a local attacker to gain SYSTEM privileges...
VulnCheck KEV: CVE-2024-55591
Fortinet FortiOS and FortiProxy contain an authentication bypass vulnerability that may allow an unauthenticated, remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module...
VulnCheck KEV: CVE-2025-21334
Microsoft Windows Hyper-V NT Kernel Integration VSP contains a use-after-free vulnerability that allows a local attacker to gain SYSTEM privileges...
VulnCheck KEV: CVE-2025-21333
Microsoft Windows Hyper-V NT Kernel Integration VSP contains a heap-based buffer overflow vulnerability that allows a local attacker to gain SYSTEM privileges...
VulnCheck KEV: CVE-2023-31059
Repetier Server through 1.4.10 allows ..%5c directory traversal for reading files that contain credentials, as demonstrated by connectionLost.php...
VulnCheck KEV: CVE-2025-0282
Ivanti Connect Secure, Policy Secure, and ZTA Gateways contain a stack-based buffer overflow which can lead to unauthenticated remote code execution...
VulnCheck KEV: CVE-2024-52875
Several vulnerabilities are present in GFI KerioControl due to improper sanitization of the 'dest' GET parameter used to generate a 'Location' HTTP header. The affected endpoints include /nonauth/addCertException.cs, /nonauth/guestConfirm.cs, and /nonauth/expiration.cs. Exploitation could allow...
VulnCheck KEV: CVE-2025-0283
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution...
VulnCheck KEV: CVE-2024-50603
Aviatrix Controllers contain an OS command injection vulnerability that could allow an unauthenticated attacker to execute arbitrary code. Shell metacharacters can be sent to /v1/api in cloudtype for listflightpathdestinationinstances, or srccloudtype for flightpathconnectiontest...
VulnCheck KEV: CVE-2019-18371
An issue was discovered on Xiaomi Mi WiFi R3G devices before 2.28.23-stable. There is a directory traversal vulnerability to read arbitrary files via a misconfigured NGINX alias, as demonstrated by api-third-party/download/extdisks../etc/config/account. With this vulnerability, the attacker can...
VulnCheck KEV: CVE-2024-3393
Palo Alto Networks PAN-OS contains a vulnerability in parsing and logging malicious DNS packets in the DNS Security feature that, when exploited, allows an unauthenticated attacker to remotely reboot the firewall. Repeated attempts to trigger this condition will cause the firewall to enter...
VulnCheck KEV: CVE-2024-33112
D-Link DIR-845L v1.01KRb03 and before is vulnerable to an operating system command injection vulnerability...
VulnCheck KEV: CVE-2022-37056
D-Link GO-RT-AC750 GORTAC750revAv101b03 and GO-RT-AC750revBFWv200b02 is vulnerable to an operating system command injection vulnerability...
VulnCheck KEV: CVE-2024-11305
A vulnerability classified as critical was found in Altenergy Power Control Software up to 20241108. This vulnerability affects the function getstatuszigbee of the file /index.php/display/statuszigbee. The manipulation of the argument date leads to sql injection. The attack can be initiated...
VulnCheck KEV: CVE-2023-47643
SuiteCRM is a Customer Relationship Management CRM software application. Prior to version 8.4.2, Graphql Introspection is enabled without authentication, exposing the scheme defining all object types, arguments, and functions. An attacker can obtain the GraphQL schema and understand the...
VulnCheck KEV: CVE-2024-48307
JeecgBoot v3.7.1 was discovered to contain a SQL injection vulnerability via the component /onlDragDatasetHead/getTotalData...
VulnCheck KEV: CVE-2023-31446
In Cassia Gateway firmware XC10002.1.1.2303082218 and XC20002.1.1.2303090947, the queueUrl parameter in /bypass/config is not sanitized. This leads to injecting Bash code and executing it with root privileges on device startup...